1. ABSTRACT

This paper discusses one of the first efforts of developing a

security on a combination of hardware and software
features. The paper starts with an overview of the
security relevant features of the 80486 architecture and

environments of the 80486 microprocessor. In particular,
protected mode features including segments, descriptor
tables, gates, privilege levels and Task State Segments are
presented as a prelude to a more detailed discussion of
each feature later in the paper. The value of each of these
features in the development of a trusted operating
environment is explored. This groundwork in place, the
paper describes the application of the 80486 features to
the development of security software for the Mercury
NTDR (Near Term Digital Radio). The detailed
description of the software architecture closes with a
discussion of the role of the 80486 features in software
assurance.

The purpose of the Mercury NTDR Information Security
(Infosec) Subsystem is to provide the Mercury NTDR
system with encryption/decryption capabilities

This paper describes the role of the 80486 microprocessor
in assuring system security and data integrity in the
NTDR Infosec software.

Protected mode facilitates the required separation of red
data from black data in the system. Since the red and black
data are not physically separated, it is desirable to have a
guard watching the border. Ideally, the guard is on duty at
all times, can detect and report violations and operates
independently of the hosted software. The 80486 satisfies
these requirements.

When run in protected mode, the 80486 can allow or deny

rules that are independent of the program that is running.
Microcode inherent to the 80486 monitors the memory

accesses at a fine level of granularity. Customized access
rules linked into the executable image are the security
backbone of the system and serve to decouple spheres of

The value of each of the 80486 protected mode features
employed in the NTDR Infosec design is discussed in
greater detail in the sections which follow. The capability
of the 80486 to detect and flag failures due to faulty
components or erroneous code in protected mode is also

This paper covers the development of a secure operating
system hosted on the 80486. Although not all portions of an

operating system, the design philosophy is:
strong fences make good neighbors. To this end, we enlist
the protected mode features of the 80486 microprocessor.
This result offers the designer many tools in the
building of secure software.

The 80486 real mode is the default mode of the
80486 microprocessor following reset. When the processor
operates in real mode, control transfers and memory
accesses occur without constraint, except for minimal
address range checks. The protected mode, by contrast,

limits control transfers, performs automatic privilege level
checks on control transfers and data accesses and enforces
both locally and globally defined access rights on a task
by task basis.

How does the 80486 know which operations to allow and
which to deny? There are several protected mode system
structures which capture the 'rules' of the system. These
rules are formed by the operating system designer during
the design phase and are then allocated to the appropriate
system structures. The structures are linked into the final
executable image. At run time, some of these structures are
necessarily copied to their final destinations in RAM
where they may be written to by the 80486 microcode as
the system runs.

In protected mode, the basic building block is the segment.
A segment delineates a contiguous block of bytes, with



A segment descriptor is another building block. It is
comprised of eight bytes of encoded information about a
segment's attributes. In these eight bytes, a descriptor can
fully capture the attributes of a contiguous block of
memory. This is the information that the 80486 uses to
validate privilege, permissions, etc. at run time.
Descriptors for segments that are common to the whole
system can be grouped into a descriptor table called the
System Global Descriptor Table, or GDT. The descriptors
for segments of memory that should not be widely
available are allocated to one or more Local Descriptor

Finally, we have selectors. A selector selects a descriptor
in either the GDT or the current LDT. Where does the
selector come from? When a routine is compiled and
linked, the memory accesses specified in the instructions
resolve to pairs written, selector:offset. The role of the
offset is to pinpoint an exact byte some distance from the
start of the segment base address.
bytes of physical memory which share common attributes.
The attributes of a segment, such as
base address, limit, and access rights, are captured in a

There are several categories of segments. Code segments,

executable code of a system as well as any ROMable
tables. Data segments typically reside in RAM. Stack
segments always reside in RAM. Task State Segments
(TSSs) reside in RAM and hold task context information.

A segment is identified by a descriptor. The system
designer assigns each descriptor to the Global Descriptor
Table or to file or scope Local Descriptor Tables.

An Interrupt Descriptor Table (IDT) contains descriptors
that are used in handling interrupts. These descriptors can
be task gate descriptors, trap gate descriptors and interrupt
gate descriptors.

A descriptor provides detailed information about a
memory segment or other 80486 protected mode

For example, there are descriptors for code segments, data
segments, stack segments, TSSs and LDTs. [1, 2, 3] The
protected mode architecture also provides for
interrupt gate, trap gate, call gate, and task gate
descriptors.

Selectors are used to select a table and a descriptor within
that table where the table can be the GDT or an LDT. [3]
The three fields of a selector are the Table Index, the
Table Indicator and the Requestor Privilege Level. The
Table Index is used to index into the table indicated by the
table indicator. If the table indicator equals zero, the
GDT is the target. Otherwise, the current LDT is the target.

4. 80486 PROTECTED MODE IN PRACTICE

The study of the 80486 protected mode features can be a
daunting task as the concepts are so interdependent. To
understand selectors, one must study descriptors which in
turn demand an understanding of segments and tables. In
the previous section, some introductory material was
presented in an effort to introduce the reader to protected
mode concepts and terminology.

4.1 USING THE GLOBAL DESCRIPTOR TABLE
The GDT can reside in read-only memory, however, for
systems that implement the tasking model the GDT

must be writeable because the 80486 updates and verifies
the TSS descriptors during task switching.

LDTs can safely be linked to ROM locations in the
executable as long as the operating system does not track

the 'accessed bit'. When code, data and stack segments are
accessed, the 80486 sets the 'accessed bit' in the segment
descriptor. Some operating systems manage memory
resources by monitoring the accessed bit. For those types
of systems the LDTs need to be allocated to writeable
memory.

4.3 CODE SEGMENT SELECTION
As a program runs, the 80486 performs validation of code
segments being accessed by carefully
analyzing segment descriptor contents. For code
segments, there can be a privilege check, offset limit
validation, access rights validation and selector validation.
As an example, consider the 80486 JMP instruction.
Before performing the jump, the 80486 performs several

[1, 2, 3] For every intra segment jump (near jump) the
offset of the destination must be within the limits of the
current segment.

[1, 2, 3] For every inter-segment (far jump), the

given selector is scrutinized by the 80486. The selector
must not be null. The table indicator must identify a valid
table. The table index must not exceed the limit of the



[3] Next, the descriptor selected is scrutinized by the

level check is performed. The offset portion of the
selector:offset pair must be within the code segment limit.

The inter-segment checks are performed at every task
switch resulting from a call of another task, a return to a
task, the servicing of an interrupt by a task or a simple
inter-segment jump or call. These checks are supplemented
by checks at the task gate, TSS, data segment and stack

The selector checks are performed when the large memory
model is used and there is a memory access attempt. The
selector checks also occur when certain 80486 registers

the course of program execution.

4.4 DATA SEGMENT SELECTION

check is performed, the offset is validated, access rights
are validated and the selector is validated. These checks
are performed automatically by the 80486.

For every intra-segment access (near access) the offset
of the destination must be within the limits of the target

For every inter-segment access (far access), the given
selector is scrutinized by the 80486 prior to being loaded
into one of the data segment registers. The selector should

is used. The table indicator is validated. The table index
provided by the selector must not exceed the limit of the

Next, the descriptor selected by the selector is
scrutinized by the 80486. The Segment Present bit must be

set. The privilege level check is performed. The Access
Rights byte must be valid. The offset must be within the

Before a stack segment is accessed its descriptor is
validated. The stack segment descriptor must indicate

that the target memory can be written to. In addition, the
privilege is checked and the offset limit, access rights and
selector are validated. For example, consider the
MOV and PUSH instructions. Before performing the
instruction, the 80486 performs a list of checks. For every

intra-segment access (near access) the new value of the
stack pointer must be valid. The target stack segment must
be writeable.



[3] For every inter-segment access (far access) the given
selector is scrutinized by the 80486 prior to a MOV

instruction loading the SS register with the selector. The
selector must not be null. The table indicator must be
valid. The table index must not exceed the limit of the
table specified.

Next, the descriptor selected by the selector is
scrutinized by the 80486 during a PUSH instruction. The
Segment Present bit must be set. The RPL, the CPL and
the DPL must be equal. The target stack segment must be
writeable. The new value of the stack pointer must be
valid.

The selector checks are performed when the Stack

Segment (SS) register is loaded with a new selector value.
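
The stack-segment load checks listed above, as an added example in C (not code from the paper or the NTDR project): it splits a selector into table index, table indicator and RPL, unpacks the 8-byte descriptor, and applies the checks with the present bit tested last, as in Intel's documented sequence for an SS load. The sample GDT, the result names and `check_ss_load` are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Result names are this example's own, not Intel's or the paper's. */
typedef enum {
    SS_OK, SS_NULL_SELECTOR, SS_TABLE_INVALID, SS_INDEX_OVER_LIMIT,
    SS_RPL_MISMATCH, SS_NOT_WRITABLE_DATA, SS_DPL_MISMATCH, SS_NOT_PRESENT
} ss_check_t;

/* Descriptor table as the CPU sees it: base plus limit (offset of last valid byte). */
typedef struct { const uint8_t *base; uint16_t limit; } desc_table_t;

/* Fields unpacked from one 8-byte segment descriptor. */
typedef struct {
    uint32_t base, limit;               /* limit in bytes, or 4 KiB pages if gran=1 */
    unsigned type, s, dpl, present, gran;
} descriptor_t;

descriptor_t decode_descriptor(const uint8_t d[8])
{
    descriptor_t out;
    out.limit   = (uint32_t)d[0] | ((uint32_t)d[1] << 8)
                | ((uint32_t)(d[6] & 0x0F) << 16);
    out.base    = (uint32_t)d[2] | ((uint32_t)d[3] << 8)
                | ((uint32_t)d[4] << 16) | ((uint32_t)d[7] << 24);
    out.type    = d[5] & 0x0F;          /* access rights byte, bits 3..0 */
    out.s       = (d[5] >> 4) & 1;      /* 1 = code/data, 0 = system (TSS, LDT, gate) */
    out.dpl     = (d[5] >> 5) & 3;
    out.present = (d[5] >> 7) & 1;
    out.gran    = (d[6] >> 7) & 1;
    return out;
}

/* Checks made when a selector is loaded into SS at privilege level cpl. */
ss_check_t check_ss_load(uint16_t sel, unsigned cpl, const desc_table_t *gdt,
                         const desc_table_t *ldt, descriptor_t *out)
{
    unsigned index = sel >> 3;          /* table index */
    unsigned ti    = (sel >> 2) & 1;    /* table indicator: 0 = GDT, 1 = current LDT */
    unsigned rpl   = sel & 3;           /* requestor privilege level */
    const desc_table_t *tbl = ti ? ldt : gdt;
    descriptor_t d;

    if ((sel & 0xFFFC) == 0) return SS_NULL_SELECTOR;   /* GDT entry 0, any RPL */
    if (tbl == NULL || tbl->base == NULL) return SS_TABLE_INVALID;
    if (index * 8u + 7u > tbl->limit) return SS_INDEX_OVER_LIMIT;

    d = decode_descriptor(tbl->base + index * 8u);
    if (rpl != cpl) return SS_RPL_MISMATCH;
    /* Writable data segment: S=1, type bit 3 clear (data), type bit 1 set (writable). */
    if (!d.s || (d.type & 0x8) || !(d.type & 0x2)) return SS_NOT_WRITABLE_DATA;
    if (d.dpl != cpl) return SS_DPL_MISMATCH;
    if (!d.present) return SS_NOT_PRESENT;
    if (out) *out = d;
    return SS_OK;
}

/* Constructed sample GDT (flat 4 GiB segments), not taken from the paper. */
static const uint8_t SAMPLE_GDT[6][8] = {
    {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},  /* 0: null descriptor */
    {0xFF,0xFF,0x00,0x00,0x00,0x9A,0xCF,0x00},  /* 1: code, DPL 0 */
    {0xFF,0xFF,0x00,0x00,0x00,0x92,0xCF,0x00},  /* 2: data, writable, DPL 0 */
    {0xFF,0xFF,0x00,0x00,0x00,0xF2,0xCF,0x00},  /* 3: data, writable, DPL 3 */
    {0xFF,0xFF,0x00,0x00,0x00,0x90,0xCF,0x00},  /* 4: data, read-only, DPL 0 */
    {0xFF,0xFF,0x00,0x00,0x00,0x12,0xCF,0x00},  /* 5: data, writable, not present */
};

/* Run the check against the sample GDT with no LDT installed. */
ss_check_t demo_check(uint16_t sel, unsigned cpl)
{
    desc_table_t gdt = { &SAMPLE_GDT[0][0], sizeof SAMPLE_GDT - 1 };
    return check_ss_load(sel, cpl, &gdt, NULL, NULL);
}

int main(void)
{
    static const struct { uint16_t sel; unsigned cpl; } cases[] = {
        {0x0010, 0}, {0x0000, 0}, {0x0013, 0}, {0x0018, 0},
        {0x0008, 0}, {0x0020, 0}, {0x0028, 0}, {0x0030, 0}, {0x0014, 0},
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("selector 0x%04X at CPL %u -> result %d\n",
               (unsigned)cases[i].sel, cases[i].cpl,
               (int)demo_check(cases[i].sel, cases[i].cpl));
    return 0;
}
```

Selector 0x0014 sets the table indicator while no LDT is installed, which is the "table indicator must be valid" case; 0x0030 indexes one entry past the GDT limit.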

4.6 TASK STATE SEGMENT SELECTION

switches into and out of tasks. [3] Prior to every task
switch operation, the TSS selector is scrutinized by the
80486. The selector must not be null. The table indicator
must select the GDT and the GDT must be installed and
valid. The table index must not exceed the limit of the

Next, the TSS descriptor selected by the TSS selector is
scrutinized by the 80486. For a task call, the TSS
descriptor Busy bit must indicate that the task is idle. For
a return, using the IRET instruction, the Busy bit of the
task must indicate that the task's status was Busy. The
Segment Present bit must be set. A privilege level check is
performed.

Finally, the 80486 validates the data contained in the target
TSS as it prepares to load the context of the TSS. This
includes validation of the following selectors and
descriptors: LDT, code segment, data segment, stack

4.7 TASK GATE SELECTION
Just as code, data, stack and TSSs are validated as a
program runs, the 80486 performs validation of task gates

during task switches into tasks. Unlike the other
segments that we have discussed thus far, a task gate
descriptor does not reference a 'task gate segment'.
Instead, a task gate references a TSS via a TSS selector
that is stored in the task gate descriptor.

[3] Prior to every task switch operation through a gate,
the given task gate selector is scrutinized by the 80486.
The table indicated by the table indicator must be installed
and valid. The table index provided by the selector must

not exceed the limit of the table. The task gate descriptor
must be valid. The TSS selector must identify a valid TSS

Next, the TSS selector and descriptor are scrutinized by
the 80486 as covered in section 4.6, Task State

Finally, the 80486 validates the data contained in the target

as it prepares to load the context of the target TSS.

system. The Infosec design uses task gates for entry into
every task in the system, including the interrupt handlers.

Before an LDT is activated, the LDT selector and the LDT
descriptor are validated by the 80486. In the Infosec

It mait? rfi^tie du nog sy^stem opfciiiUOi). 

LDT to be loaded is scrutinized by the 80486. The table
indicator must select the GDT and the GDT must be
installed and valid. The table index must be within the

limits of the GDT. The LDT descriptor must be valid.

5. INFOSEC 80486 PROTECTED MODE FEATURES
This section details the features employed in the

design of the NTDR Infosec software. We will draw on the
material discussed in previous sections as the Infosec

the NTDR Infosec software is partitioned into software
security groups. Each software security group is comprised
of one or more 80486 tasks. A task is defined to the 80486
using a TSS, a system structure.

Each Infosec task is defined by its attributes which are
held by the task's TSS. There are many attributes but the

segment (DS), stack segment (SS) and LDT.

In addition to attributes, a TSS is also the receptacle for
the context of the task. When a task is called, the 80486
stores the context of the current task, the caller, in the
current task's TSS. The 80486 then attempts to load the
callee's TSS. At this point, the 80486 validates the data in

the callee's TSS. If any of these validation checks fail, the
80486 processor raises an exception and the Infosec shuts
down. If all checks are successful, the 80486 loads its CPU
registers with the data found in the TSS. [2] The

data to be loaded includes the CS, DS, SS, EIP, LDTR.



In addition, a backlink to the caller is stored in the callee's
TSS to be used in return sequences. If the 80486 determines
that the backlink field contains invalid data, it raises an
exception and the Infosec shuts down. If the backlink field
is valid, as it should be, the context of the caller identified
by the backlink field is restored. Once again, prior to
loading the registers with the data that is stored in the

caller's TSS, the 80486 validates the data.

The design of the interrupt handling of the Infosec

abtive. The inftrfnj|>ied issk haSr m tjpponynity to ialoix its 

return from interrupt, the context of the interrupted task is
restored and execution continues seamlessly.

TASKS 

implementation culminate in either the shutdown or reset
of the processor. The first NMI which occurs is serviced at
the very next instruction boundary when the 80486 vectors
to the appropriate handler.

The Alarm Handler Task handles all alarm and zeroize
requests and runs at privilege level 0. This task is invoked

generated by the FPGA.

The Exception Handler Task handles all internal 80486

5.1.2 INTERRUPT HAN

to the millisecond timer interrupt generated by Infosec
hardware and maintains and checks critical
This task runs at privilege level 0.

The Protocol Processor Interrupt Handler Task responds to

buffer and full buffer interrupts from the Protocol
Processor. This task runs at privilege level 0.

The Waveform Processor Interrupt Handler Task responds
to buffer interrupts from the Waveform Processor. This

The DS101 Controller Interrupt Handler Task responds to
data and status interrupts from the DS101 controller chip.
The DS101 Controller Interrupt Handler task runs at
privilege level 0.

5.1.3 INFOSEC APPLICATION TASKS
There are a number of Infosec application tasks. These
tasks run at various privilege levels consistent with

system.

The Scheduler Task runs at privilege level 1 and is
responsible for the dispatch of other Infosec tasks in
response to state, substate and error queue information.

sequences to initialize the system and perform power up

The Find Work Task is called by the Scheduler task when
the system is idle. Task Find Work identifies and

The Background Built In Test Task is called periodically
by the Scheduler. The BBIT task is responsible for
testing an increment of RAM or ROM with each call.

ihe Schcdufer laskwheii the Find Work tii&k has ^ieiecteiJ a 
■Ritfj Btr' message ft t>Tf I th^s Pfptocolprocess^r. 

The Find Message Task acts as a Scheduler utility. It
runs at privilege level 0 to facilitate and expedite message

The Fill Ta&k runs M firivikge>Ievel perfo^ 

The Untrusted Red Tasks run at privilege level 3 and
perform processing on the red side (plaintext) of the

The Untrusted Black Tasks run at privilege level 3 and
Infosec board.

The Trusted Bypass Task runs at privilege level 2. It is
trusted because it has access to the red and black
sides of the Infosec.

5.2 LOCAL DESCRIPTOR TABLES

The role of an LDT is to fence in a task. The LDT
delineates exactly which segments are available to a task
and to what extent. As the name implies, an LDT is a table
which holds descriptors. As a safeguard, the Infosec
system keeps all LDTs in read-only memory.

5.3 INFOSEC GLOBAL DESCRIPTOR TABLE
A GDT delineates exactly which segments are available to
all system tasks, and to what extent. As the name implies,
a GDT is a table in memory that holds global descriptors.



The Infosec GDT must reside in writeable memory

because context information, particularly for TSS

automatically upon call and return of tasks.

[1, 2, 3] The protected mode provides for four privilege

the CPL determined when running in protected mode? In
most systems the privilege level of the code segment
which contains the code that is currently executing is the
CPL. The 80486 uses the CPL to permit or deny the
currently executing code access to other segments.

6. PROTECTED MODE FEATURES AND
INFOSEC SOFTWARE ASSURANCE
The Infosec system structures, including the GDT, IDT,
LDTs, TSSs, code, data, and stack segment descriptors,
and task gate descriptors together with deliberate privilege
level allocation, access allocation, ROM vs. RAM
placement, fixed stack and data segment sizes, and
information hiding provide for built-in layers of
protection. These structures, as implemented in the Infosec
software design, provide multiple levels of real-time
software flow verification as well as real-time data flow
verification - all at runtime. These structures are
introduced into the system at the link phase and are present
and utilized at runtime. The data that these structures
provide to the 80486 undergo a variety of data integrity
checks with every access of the data. If any data fails the

and the Infosec software shuts down the system.

In this way, attempts by rogue or corrupted software to
access data illegally can be detected at runtime by the
80486. In addition, component failures such as ROM bit
errors and RAM bit errors in specific GDT, IDT, LDT and
descriptor fields can be detected by the 80486 at runtime
and flagged to the Infosec software.

6.1 TASK GATES AND SECURITY
The Infosec software design utilizes task gates as a
mechanism for strengthening the security perimeter of a task.
All task gates in the Infosec system are located in LDTs to
limit their availability.

In clarifying the need for task gates, it is useful to briefly
review TSS descriptors. [2] In the Infosec system TSS
descriptors have a DPL of 0 and are stored in the GDT as
required. Since the TSS descriptors in the GDT are available
to all tasks, one might expect that any task can call any
other task. [3] This is not the case. According to the rules
of privilege, a TSS with privilege level 0 can only be
called by another task that executes at privilege level 0.
In the Infosec system, many tasks run at lower privilege
levels as identified by their CPL. To enable a less
privileged task to pass control to a more privileged task, a
task gate is used. [3] The TSS privilege level check is
replaced by a privilege level check at the task gate, the
first line of defense. Each task gate DPL is designed to

ensure a successful call.

6.2 THE TSS AND SECURITY

THE ROLE OF THE TSS S

The next level of defense from undetected component
failure in the Infosec system is supplied by a task's TSS
selector. A selector that references a TSS descriptor
always points to the GDT because TSS descriptors can
only be defined in the GDT. As an example, if the TSS
selector specifies that the TSS descriptor is in the LDT, the
80486 raises an exception and the Infosec shuts the system
down since this is an illegal selector. An invalid selector
could be the result of ROM component failure which has
corrupted the TSS selector. The index field of the TSS
selector is also validated by the 80486. An invalid index
causes the 80486 to generate an exception, and the Infosec software

shuts down.

6.2.2 THE ROLE OF THE TSS DESCRIPTOR
A task's TSS descriptor provides the next level of defense
from undetected component failure in the Infosec system.

validation steps, one worth mentioning is the TSS DPL
check. This is of interest since we know that a TSS

descriptor must be allocated to the GDT, thus making the task
descriptor available to all tasks in the system. [1, 2, 3] In
order for a task to successfully access the target TSS, the
task must be at least as privileged as the targeted TSS. If a
non kernel-level task should erroneously attempt to access
a TSS directly without passing through a task gate, an
invalid TSS exception is raised by the 80486 and the

Infosec shuts down.

As the Infosec software executes, task switches occur as a
result of calls, interrupts and returns. When a task
switch is initiated for either a call or a return, the Busy Bit
in the callee's TSS descriptor is validated prior to its being

written to by the 80486. If the TSS descriptor is already

marked busy when a call is attempted, the 80486 raises an
exception and the Infosec shuts down. If the TSS
descriptor is already marked idle on a return, the 80486
raises an exception and the Infosec shuts down. These
checks are automatically performed by the 80486 and cannot
be disabled while in protected mode. An incorrect
value stored in the Busy Bit of the TSS descriptor could be
a sign of RAM component failure or the result of an
erroneous write to RAM.



In addition to the Busy Bit, the TSS descriptor also
contains other fields that are validated by the 80486 upon
each task switch.

The task switch processing for a return
to the caller task is via the backlink field in the callee's
TSS. The backlink field contains the selector that points to
the caller's TSS. The return task switch is performed
directly via the TSS descriptor using the backlink that was
stored at the time of the call. [2] As with all selectors, the
80486 performs the prescribed validation checks for an
IRET, return from interrupt, or a task return.
The selector named in the backlink field must point to a
valid TSS descriptor that is within the boundaries of the
GDT. The TSS descriptor must indicate that the task to be
returned to is marked Busy. Any failure in the validation
of the selector causes the 80486 to raise an exception. In

response, the Infosec shuts the system down.

6.2.3 THE ROLE OF THE TSS
Finally, a task's TSS supplies valuable information that
can enable the 80486 to detect a failure. A TSS

indicates to the 80486 where the task's code, data, stack
and LDT can be found.

If the Infosec software attempts to write to a TSS, the
80486 raises an exception and the Infosec shuts the system
down. [1, 2] The 80486 detects the invalid access because
the 'System' bit of a TSS descriptor is set to
identify the TSS as a system structure. This prevents
direct access to such structures.

Once the TSS selector and descriptor have passed the
80486 validation check, the attribute selectors (for
code, data, stack and LDT) are checked.

6.3 THE GDT AND SECURITY
The 80486 prevents the Infosec software from directly
accessing the GDT and all other system structures. If the
Infosec software attempts to write to the GDT directly, the
80486 raises an exception and the Infosec shuts down.

6.4 THE LDT AND SECURITY

6.4.1 THE ROLE OF THE LDT SELECTOR
[2] A selector that references an LDT descriptor always
points to the GDT because LDT descriptors can only be
defined in the GDT. If the LDT selector specifies that the
LDT descriptor is in an LDT, the 80486 raises an
exception and the Infosec shuts down. An invalid selector
could be the result of a RAM bit error or an erroneous
write into the TSS which has corrupted the LDT selector.
The index field of the LDT selector is also validated; it

fall within the limits of the GDT.



6.4.2 THE ROLE OF THE LDT DESCRIPTOR
The LDT descriptor is composed of the following fields
which are validated by the 80486: segment present bit,
DPL, system bit. A failure in the validation of these fields
causes the 80486 to raise an exception and the Infosec

software shuts the system down. The LDT descriptor also
contains the LDT base address and limit.

6.4.3 THE ROLE OF THE LDT
The LDT is a table of descriptors for memory segments.

LDT is active at any given time. [2] A new LDT can
replace the current one via a task switch due to a task call
or task return or via the Load LDT instruction which is a

to issue the LLDT command, the 80486 generates an
exception and the Infosec shuts down. In this way,
erroneous loading of an LDT by lesser privileged tasks is
prevented.

6.5 SELECTORS AND SECURITY
[1, 2, 3] The 80486 validates the selectors with
respect to the index and RPL. If the index field of
a selector is outside of the table boundary, the selector fails

shut down. Such a failure could be an indication of a RAM
component failure, an erroneous write to RAM, or a ROM
component failure. A failed privilege level check also
results in system shutdown. This type of failure can be
attributed to a RAM or ROM failure.

6.6 CODE SEGMENTS AND SECURITY
Protected mode far calls and returns cause the 80486
to attempt to load the Code Segment register with a new
selector. [2] First, the selector is validated, then the
offset. Finally, the privilege check occurs. Execution
proceeds only if all of these tests pass.

6.7 DATA SEGMENTS AND SECURITY
[2] Just as with code segment selectors,

execution. The selector and offset are validated. Finally,
the privilege check occurs. If all of these tests pass, the
data segment register is loaded with the selector. A failure
causes the 80486 to raise an exception and the Infosec

shuts the system down.



6.8 STACK SEGMENTS AND SECURITY
[3] Every time a new stack reference occurs, the 80486
validates the far address before loading the selector portion of
the address into the Stack Segment register. Any access of
the stack causes the offset portion of the far address to be
validated before being loaded into the 80486 Extended
Base Pointer/Extended Stack Pointer. Finally, the privilege
check occurs. If all of these tests pass, the stack can be
accessed successfully. If any of the validation checks fail,
the 80486 raises an exception and the Infosec software
shuts the system down.

6.9 THE IDT AND SECURITY
The IDT is accessed by the 80486 when maskable
interrupts, non-maskable interrupts, exceptions, and
software generated interrupts occur. The Infosec system

to explicitly handle every possible interrupt. The
protected mode IDT is installed in ROM. This enhances
system security by preventing any erroneous writes from
destroying the integrity of the IDT data.

In this paper many of the protected mode features of the

detail. This paper draws on the experience gained from
building a secure embedded operating system with real-
time constraints for an 80486 target. The Infosec software
design incorporates many protected mode features
including selectors, descriptors, LDTs, GDTs,

IDTs, task gates, TSSs and tasking. By utilizing these
features, the power of the microprocessor to detect

erroneous or unauthorized memory references was
harnessed to produce reliable software from early on in the
software life cycle.

[2] I ntc^tii6 M f CTC'pyOCtiASt^jrs f'Todwcis.. 

Intel C£5f|?<?rationr 19^5 

[3] Protected Mode Software Architecture.



